mobility and firewall

Ivan Krstic krstic at hcs.harvard.edu
Fri Jun 3 18:44:02 CDT 2005


>>Very simple. You are on a laptop in an internet cafe. Without a personal
>>firewall you are vulnerable to anybody including people at the next
>>table. With a personal firewall you have at least some form of
>>protection.

> And what about this idea:  Yes, you are protected from the nasty
> internet behind some type of hardware appliance firewall but you cannot
> trust users on the same LAN!

I don't follow. Defending against an untrusted network implies
firewalling inbound traffic, which is pointless[0] since the default
install doesn't come with any listening services. If you install
listening services, you probably ought to configure the firewall
yourself if you want to restrict access to them.

If you're talking about firewalling outbound traffic, all the proposals
so far are useless. The only way this could work is if every package that
communicated with the network provided special firewall-rule metadata,
or some type of central firewall rule repository kludge was done. There
doesn't exist a good outbound firewalling solution; things like
ZoneAlarm on Windows only protect experienced users. Inexperienced users
are very quickly conditioned to click 'Allow' every time the access
dialog pops up.

-IK


[0] Restricting inbound traffic to RELATED, ESTABLISHED by default would
presumably provide you some protection against potential flaws in the
TCP/IP stack at the expense of exposing you to potential flaws in
netfilter, which makes it seem like an exercise in futility to me.
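The inbound policy that footnote [0] sketches (accept loopback and RELATED,ESTABLISHED, drop everything else), plus the "open it yourself when you install a listening service" step from the message body, as an added example that is not from this thread or from Ubuntu; the iptables-restore format, the conntrack match and the port list are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an iptables-restore
# ruleset: replies to connections this host opened are accepted, other
# inbound traffic is dropped unless a TCP port is listed explicitly.
# The conntrack match and the port list are assumptions of this example.

gen_ruleset() {
    # $@ = TCP ports of listening services deliberately exposed (may be empty)
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Each exposed service gets one explicit NEW-connection rule.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Number of ports the ruleset opens, so a reviewer can confirm the
# exposed surface matches what was actually installed.
count_open_ports() {
    gen_ruleset "$@" | awk '/--dport/ { n++ } END { print n + 0 }'
}

# Apply only as root with iptables-restore present (syntax-checked with -t
# first); otherwise just print the ruleset for review.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset "$@" | iptables-restore -t && gen_ruleset "$@" | iptables-restore
    else
        gen_ruleset "$@"
    fi
}
```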



More information about the ubuntu-devel mailing list